rsshub vulnerable to Cross-site Scripting via unvalidated URL parameters

Severity:: Medium

Description

When the URL parameters contain certain special characters, it returns an error page that does not properly handle XSS vulnerabilities, allowing for the execution of arbitrary JavaScript code.

Users who access the deliberately constructed URL are affected.

Recommendation

Update the rsshub package to the latest compatible version. Followings are version details:

Affected version(s): < 1.0.0-master.c910c4d
Patched version(s): 1.0.0-master.c910c4d

References

GHSA-32gr-4cq6-5w5q
CVE-2023-26491
CWE-79
CAPEC-310
OWASP 2021-A3
OWASP 2021-A6

Related Issues

@dependencytrack/frontend vulnerable to Persistent Cross-Site-Scripting via Vulnerability Details - CVE-2022-39350
tarteaucitron.js vulnerable to Cross-site Scripting - CVE-2023-3620
Jodit Editor vulnerable to cross-site scripting - CVE-2023-42399
editor.md vulnerable to Cross-site Scripting - CVE-2023-29641

How to Secure your NodeJs Express Javascript Application - part 1

How to Secure your NodeJs Express Javascript Application - part 2

10 Secure Coding Best Practices to Follow in Every Project

Tags:: npm; rsshub

Anything's wrong? Let us know Last updated on March 13, 2023